SD Integrity level?

Apologies up front if I am asking gibberish here… it has been some 5
years since I dabbled with Integrity Levels.

How does a driver query and set the integrity level for a file, i.e.
how do I also query/set the Integrity Level when querying/setting a
file’s SD?

How does a driver query and set the integrity level for a file, i.e.
how do I also query/set the Integrity Level when querying/setting a
file’s SD?

Integrity lavel is represented by a mandatory label ACE stored in descriptor’s SACL. So, you need to query object’s SACL, add the ACE into it (or possibly modify existing one) and save new SACL into the descriptor (RtlSetSaclSecurityDescriptor). Then, you may use something like ZwSetSecurotyObject to change the security descriptor of the object. I think the SecurityInformation parameter may contain a flag indicating that you wish to set just the integrity level (and poissibly the mandatory integrity policy).